By Prof Rom Feria
Almost every week, if not daily, we hear about security breaches at online services. It happens even to the largest IT companies on the planet today, Facebook and Google. Securing your data online is a never-ending cat-and-mouse game between cybersecurity specialists and criminals. What can you do to minimize the impact of having your data compromised? Here’s a list of tips that you may want to consider:
When buying computers and other IT hardware, make sure that you trust both the reseller and the manufacturer. Malicious resellers can pre-install malware on your computer before handing it to you. Whilst you may think such pre-installed software is harmless, e.g., trial versions of third-party software, it is not impossible for them to install keyloggers and remote access trojans (RATs).
So the first thing to do, before you even consider connecting it to your home network, is a factory reset and reformat. Reformatting will help you remove such malware and give you full control of your computer (it will not, however, clean anything implanted in the firmware itself, which is why trusting the manufacturer matters too).
Update! Update! Update!
How many times have you been frustrated when your computer won’t shut down because it is applying an update? And worse, it happens when you are in a hurry. Sorry, but I don’t use Windows OS, so this isn’t a pain point for me, but I have seen friends struggle with this. Anyway, don’t take this lightly: the update plugs holes in the operating system, fixing the vulnerabilities that were discovered, to keep your system secure.
It is always good practice to keep your operating system, your software (especially your anti-virus software) and, don’t forget, your firmware updated to the latest versions. The reason an update is available is not to frustrate you, but to fix vulnerabilities. Again, don’t forget your broadband router, your smartphone, tablet, smart watch and other home automation devices – they all need to be updated regularly as well.
Trusted Software Source
Similar to buying your hardware from trusted sources, the same can be said of software. I do not recommend installing pirated software, or side-loading your smartphone with installers from untrusted sources. I can even go to the extreme of being wary of software from friends and family (not that you don’t trust them, but do you trust where they got the software?), unless you are confident of the integrity of the software installer.
Choose long passwords made of randomly chosen words. I recommend passphrases like horse-banana-hankering-responsive-immanent-1945: long enough to increase the time needed to crack them, but easy to type. Remember, there is no such thing as an uncrackable password, but the longer your password is, the harder it is for hackers to crack it quickly.
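As an added illustration (not the author’s own code) of the passphrase shape recommended above, here is a small Python generator in the same word-word-word-year form, with an entropy calculation showing why the number of words and the size of the word list matter more than how the phrase looks. The tiny word list and the guessing rate are constructed assumptions for the example; a real generator would draw from a published list of thousands of words.

```python
import math
import secrets

# Constructed mini word list for demonstration only; a real generator would use
# a large published list (thousands of words) so that each word adds ~13 bits.
WORDS = [
    "horse", "banana", "hankering", "responsive", "immanent", "copper",
    "window", "meadow", "lantern", "pebble", "orbit", "velvet",
    "cactus", "harbor", "saddle", "timber",
]


def passphrase_entropy_bits(wordlist_size: int, n_words: int, suffix_choices: int = 1) -> float:
    """Entropy (bits) of n_words picked uniformly at random from wordlist_size words,
    plus an optional numeric suffix picked uniformly from suffix_choices values.
    Entropy comes from how the words were chosen, not from how the phrase looks."""
    bits = n_words * math.log2(wordlist_size)
    if suffix_choices > 1:
        bits += math.log2(suffix_choices)
    return bits


def generate_passphrase(n_words: int = 5, year_lo: int = 1900, year_hi: int = 2099) -> str:
    """Build word-word-...-year using the OS CSPRNG (secrets), never random.choice."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    year = year_lo + secrets.randbelow(year_hi - year_lo + 1)
    return "-".join(words + [str(year)])


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the keyspace at an offline guessing rate.
    1e10 guesses/s is an assumed order-of-magnitude figure for a GPU rig
    against a fast (unsalted, non-stretched) hash."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase())
    for size in (len(WORDS), 7776):
        bits = passphrase_entropy_bits(size, 5, suffix_choices=200)
        print(f"{size} words x 5 + year: {bits:.1f} bits, ~{years_to_crack(bits):.1e} years")
```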
It is highly tempting to reuse passwords. Never reuse passwords. It is best practice to use a password manager (not Post-it notes on your screen or desk) – I use 1Password on all my devices.
To add more security, I highly recommend that you enable multi-factor authentication. The most popular implementation is two-factor authentication (2FA), using either an application that generates time-limited one-time passwords (OTPs), or a hardware token such as the YubiKey. Some services offer 2FA via SMS; avoid SMS as much as possible, as it is not secure.
Some websites allow you to log in using your social network accounts. Do not do this. Sign up using your e-mail address and create a unique password for that site. Yes, it is an added hassle, but if you have a password manager, it won’t be. If a site only offers social network login, forget about that site. Its service is not worth your data.
Lock-screen and Passcodes
Enable passwords on your computer and devices. It introduces an extra step before you can use your device, but that extra step also provides an extra level of security.
Set your devices to auto-lock after your preferred duration of inactivity, but don’t set it too long. In my case, it’s set to 2 minutes on my MacBook Pro and 30 seconds on my iPhone.
There is currently a move to have all websites use HTTPS, which carries HTTP over an encrypted TLS connection. In general, this is a great idea, especially for transactional websites, e.g., banking, e-mail, and all sites that require a username and password to access. However, for non-transactional websites, HTTPS is an option, but not really necessary.
Ad Tracking Blockers
Some criminals use online advertisements embedded in websites to deliver malware (malvertising). It is therefore good practice to use ad- and tracker-blocking software. On the desktop, I use Safari and Firefox, which natively block trackers. There are add-ons and/or plugins that you can also install on your browser. On mobile, I only use Safari and Firefox and, in some cases, the DuckDuckGo and Brave browsers, paired with third-party ad tracking blockers.
Some browsers have a setting that automatically opens downloaded files. Turn it off, so that a downloaded file cannot run and install malware without you noticing.
E-mail has been beautified with Rich Text and HTML formatting, e.g., images are automatically rendered and displayed. Just as criminals use embedded online advertisements to install malware, they also do this via e-mail.
A tip here is to make your e-mail boring. Yes, look for a setting that displays messages as plain text instead of Rich Text and/or HTML, and disable the background download of any attachment or image embedded in the e-mail.
Auto-delete any e-mail with an attachment that you did not ask for, even if it comes from family or a friend. You will never know whether they have been hacked, unless you ask. I have received e-mail from friends’ e-mail addresses that I know are inactive – such e-mail is automatically binned.
Do Not Touch
If you can avoid it, do not click or touch any link, especially those hiding behind URL shorteners. If and when you can, expand the shortened link first and examine the URL before you visit it.
It is also recommended to re-type the URL yourself, if you can, because that “a” in that apple.com link may actually not be an “a” at all, but a look-alike character from another alphabet that merely looks like an “a”. Re-typing the address prevents something like this from happening.
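As an added example (not from the original article), this Python helper does the “examine the URL” step programmatically: it converts the hostname to the punycode form the browser actually sends on the wire, and flags any label that is non-ASCII or mixes alphabets, which is how a Cyrillic “а” can pass for the “a” in apple.com. The sample URLs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label: str) -> set:
    """Unicode scripts of the letters in one hostname label, e.g. {'LATIN', 'CYRILLIC'}.
    Digits and hyphens are ignored; the script is taken from the character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_host(url: str) -> dict:
    """Report the Unicode and punycode forms of a URL's host and whether any label
    looks like a homograph (non-ASCII, or letters from more than one script)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    # A browser may display the Unicode form but always sends the IDNA (xn--) form.
    try:
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
        punycode_host = unicode_host.encode("idna").decode("ascii")
    except UnicodeError:  # malformed IDNA label: treat the whole host as suspicious
        return {"host": host, "punycode": host, "suspicious_labels": [host], "suspicious": True}
    suspicious = [
        label for label in unicode_host.split(".")
        if not label.isascii() or len(label_scripts(label)) > 1
    ]
    return {
        "host": unicode_host,
        "punycode": punycode_host,
        "suspicious_labels": suspicious,
        "suspicious": bool(suspicious),
    }


if __name__ == "__main__":
    # Constructed samples: the real site, a Cyrillic look-alike, and its wire form.
    for u in ("https://apple.com/", "https://\u0430pple.com/", "https://xn--pple-43d.com/"):
        r = inspect_host(u)
        print(f"{u:32} -> {r['punycode']:18} suspicious={r['suspicious']}")
```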
Enable WiFi Password
Do not forget to change the default admin account credentials of your broadband router/WiFi access points. Once you have changed the admin account and password, immediately change the WiFi password. Use WPA2 encryption until the new standard becomes available. As I have mentioned above, check that the firmware is up to date.
Scan Your Network Traffic
Whilst this may be over the top, if you can, do scan your devices’ network traffic. Check for suspicious network activity, especially upload traffic. If you can also scan the network for rogue or unauthorized devices, even better – you can block them right away.
Minimize Data Footprint
The weakest link in cybersecurity is always the user. Social engineering is the most effective way to gather the information needed to compromise your computer, smartphone or network.
I recommend minimizing the amount of personal information available online. That innocent photo of your recent vacation, or that photo of the bubble tea you enjoyed, contains metadata that reveals what device you are using (and whether its software has been updated or not), your location and your routine. Or that seemingly innocent birthday greeting to your family and friends reveals their birthday to everyone. These tiny bits of data are aggregated to build your profile and, if you are interesting enough, can mark you as a potential target. This information can and will be used against you.
So the less information you share online, the better. The less information you share with third-party companies that use your data to generate revenue, the better. Remember, it is better to be safe than sorry.